Client only installation procedure

  • Question

  • My network history and configuration: small business with 25 desktops/laptops and AD with Exchange 2003 and Terminal Server running proprietary business app. Several users remote from home to the TS using VPN. When I got here all workstations were running Norton Internet Security and it doesn't work well in an AD environment. About 9 months ago I put OneCare on all workstations. That worked fine until recently but now OneCare is changing into something not very suitable for this business environment.

     

    The server based components of Forefront (MOM, FCS console, etc.) make the cost prohibitive compared to the cost of Norton or OneCare and I don't think the boss will spring for that much at this time. My plan was to install Forefront in a "standalone" manner on all computers and I'm currently testing the evaluation version on my workstation. However, I'm a little confused about configuring Forefront Client.

     

    Is there a way to create Security Policies without the console? If not, is there a way to configure each individual workstation? For example, I just turned off Windows Firewall and Forefront Client did nothing, not even some type of warning message. That's not a good thing. I'd prefer that users be prevented from doing something like turning off the firewall but I thought Forefront would at least give a warning message or indicate somehow that a less than secure configuration existed. Even OneCare does that.

     

    Any advice on configuring Forefront in standalone installs greatly appreciated. The boss isn't computer savvy and I can imagine his reaction if I say that what cost him $400 last year will cost him $4,000 this year.

    Tuesday, March 4, 2008 9:01 PM

Answers

  • Hi,

     

    You can use Forefront Client Security in standalone mode using the /nomom switch to clientsetup.exe. The client will then get its updates from Microsoft Update. Since you do not want to use the server-based components you will miss the central reporting and config functions; however, the local FCS clients write to the event log, so if you can centrally monitor event logs you can at least get an overview of FCS activity in your environment.

    Event sources to monitor:

    Source                               Description
    FcsSas                               SSA scan event logged by a Client Security agent
    FCSAM                                Malware scan event logged by a Client Security agent
    Microsoft Forefront Client Security  Client Security Management console event logged by the Client Security management server

     

    On the note of configuring...

    The policies are created on the server components and deployed to Active Directory. You can also configure the clients manually; however, this is not a good solution for many reasons. The settings are stored in the registry, so in your case I would take a standard client, configure FCS with your settings and look in the registry.

    The settings are stored in the registry so download the FCS technical documentation at http://www.microsoft.com/downloads/details.aspx?FamilyID=90044d88-299b-49fb-b762-eae17a1f01f4&DisplayLang=en

    Open the technical reference.doc document and read under these headings:
    Registry keys

    Client Security setup and configuration registry keys

    Default Client Security agent settings

    Policy-created registry keys

    Policy settings and registry keys

    Settings exposed in the New/Edit Policy dialog box

    Settings not exposed in the console

     

    When you know where the settings are stored and the values you want (from your preconfigured FCS client) I would create an .adm file (GPO administrative template) with the desired settings and import that into your AD. If you don't wish to use .adm files, you now have a .reg file you can import on all your clients.

     

    Hope you get some good ideas from this.

     

    Best of luck!

    /Johan

    Tuesday, March 4, 2008 10:51 PM
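The answer above suggests two things a standalone FCS deployment can still do centrally: watch the FCSAM and FcsSas event sources, and keep the registry-based settings aligned with a preconfigured reference client. The script below is an added example written for this page; it is not code from the thread, from Microsoft, or from the FCS documentation. It assumes PowerShell 2.0 on the admin workstation, that FCS writes its FCSAM/FcsSas entries to the Application log, and that the remote event log and remote registry services are reachable on each client. The client list is constructed, and the registry key path and value names are placeholders (assumptions) to be replaced with whatever technical reference.doc and the reference client's registry actually show.

```powershell
# Added example (not from the original thread): central sweep of standalone
# Forefront Client Security clients from an admin workstation.
#   1. pull FCSAM / FcsSas entries from each client's Application log
#   2. compare a few registry values against those captured on the
#      preconfigured reference client, to catch local drift
# Requires PowerShell 2.0 (Get-EventLog -ComputerName/-Source/-After).
param(
    [string[]] $Computers = @('ws01', 'ws02', 'ws03'),   # constructed list; use Get-Content on a real host file
    [int]      $Days      = 7
)

# ASSUMPTION: placeholder key path and value names. Replace them with the
# real ones from technical reference.doc / the reference client's registry.
$RefKeyPath = 'SOFTWARE\Microsoft\Microsoft Forefront\Client Security\1.0\AM'
$RefValues  = @{
    'DisableRealtimeMonitoring' = 0   # placeholder value name
    'DisableAntiSpyware'        = 0   # placeholder value name
}

$since  = (Get-Date).AddDays(-$Days)
$report = @()

foreach ($c in $Computers) {
    # --- 1. event log sweep: only the two FCS agent sources from the table above
    try {
        $events = @(Get-EventLog -LogName Application -ComputerName $c `
                                 -Source FCSAM, FcsSas -After $since -ErrorAction Stop)
    } catch {
        Write-Warning "$c : cannot read Application log ($($_.Exception.Message))"
        $events = @()
    }

    # anything that is not plain Information (scan failures, malware hits) is worth a line
    $alerts = @($events | Where-Object { $_.EntryType -ne 'Information' })
    foreach ($e in $alerts) {
        "{0,-12} {1,-7} {2,6} {3}" -f $c, $e.Source, $e.EventID, ($e.Message -split "`n")[0]
    }

    $last = $null
    if ($events.Count -gt 0) { $last = ($events | Sort-Object TimeGenerated)[-1].TimeGenerated }
    $report += New-Object PSObject -Property @{
        Computer  = $c
        FcsEvents = $events.Count
        NonInfo   = $alerts.Count
        LastEvent = $last
    }

    # --- 2. registry drift check against the reference client's values
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $c)
        $key  = $hklm.OpenSubKey($RefKeyPath)
        if ($key -eq $null) {
            Write-Warning "$c : key $RefKeyPath missing (FCS not installed, or the placeholder path is wrong)"
        } else {
            foreach ($name in $RefValues.Keys) {
                $actual = $key.GetValue($name)
                if ($actual -ne $RefValues[$name]) {
                    Write-Warning ("{0} : {1} = {2} (reference client has {3})" -f $c, $name, $actual, $RefValues[$name])
                }
            }
            $key.Close()
        }
        $hklm.Close()
    } catch {
        Write-Warning "$c : remote registry unavailable ($($_.Exception.Message))"
    }
}

# one line per client, noisiest first, so a client that has gone quiet
# (FcsEvents = 0, no LastEvent) is as visible as one with detections
$report | Sort-Object NonInfo -Descending |
    Format-Table Computer, FcsEvents, NonInfo, LastEvent -AutoSize
```

A client showing zero FCS events for the whole window is as interesting as one with warnings: it usually means the agent is stopped, the log was cleared, or the host was off the network. Run the drift check from the same account that will later push the .adm or .reg file, so that any value a user has changed locally shows up before the GPO silently overwrites it.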

All replies

  • Thanks for the informative answer. I do use a few OU group policies so that's the way I'll probably go. I'll have to get out my old group policy training manuals and review creating administrative templates but it all sounds very "doable." Again, thanks for the reply.

    Wednesday, March 5, 2008 7:17 PM
  • OneCare was $49.95 for 3 computers. That cost right at $400 for a year subscription. Now OneCare has truly become "security for dummies" - which is a good thing in some places - but is completely out of control and unmanageable in a small business environment. OK, what is Microsoft's next step up product? Forefront. But, even though "you can" install Forefront as "standalone" everyone essentially is saying that's not what it was designed for.

     

    OK. With the management console Forefront would cost me $2,800 per year, plus the cost of another server because mine are currently maxed out and extremely business critical. I wouldn't dare add another application, like SQL Server, to any existing servers.

     

    Requiring SQL Server is pricing this product too high for the 10 - 30 workstation businesses, and I'll bet there are far more seats at businesses that size than at all of the large organizations. We do 12 million a year in construction and it all runs on a 500 MB Access app that at least 15 people pound on all day and night. My point is that Microsoft could have easily had a "small business" version that runs on Access and priced it more like $200 - $300.

     

    Which brings me to the next point: why won't someone else do exactly that, build an FCS console "emulator" and make a ton of money selling it for $50 a pop? Wouldn't have to use the MOM agent. Build your own agent to monitor and gather stats. How hard would it be to create several standard security templates that a user could modify using existing tools?

     

    I'm usually very pro-Microsoft but they are driving me away from using ANY of their workstation security solutions. I want OneCare off my workstations as soon as possible because it has truly become something for little old ladies who want to get on the Internet and email the grandchildren. IT ATTEMPTS TO LOG IN TO MY COMPANY FIREWALL TO ENSURE I HAVE CHANGED THE FACTORY DEFAULT PASSWORD! TRACING DOWN WHO WAS TRYING TO HACK INTO MY FIREWALL TOOK A WHOLE DAY. Forefront costs so much it's going to make me look like an idiot for getting rid of Norton, and I still have critics on that subject.

    Wednesday, March 5, 2008 10:35 PM